Creating SSH keys
For many years the most common type of SSH key has been RSA, but newer key types based on elliptic curves give equivalent security with much smaller keys and faster operations. (Neither RSA nor elliptic-curve keys would survive a large quantum computer; the reason to switch is key size and speed, not quantum resistance.)
IMSS recommends ECDSA on the NIST P-384 curve for new keys. ECDSA is widely supported and, at this curve size, provides roughly 192-bit security, which matches or exceeds the RSA key sizes in common use while the key itself is a fraction of the size.
Mac or Linux
To create a new key on Linux or Mac, run the following command. "-t ecdsa -b 384" selects ECDSA on the P-384 curve, "-f" sets the output file and "-C" attaches a comment (your email address) to the public key. When prompted, choose a passphrase of reasonable length and complexity: it is the only thing protecting the private key if the file is ever copied.
ssh-keygen -t ecdsa -b 384 -f ~/.ssh/id_ecdsa -C "[email protected]"
Please be sure to keep your private key private. As a reminder, the permissions on your .ssh directory should be "drwx------" (octal 700) and on your private key "-rw-------" (octal 600); ssh will refuse to use a private key that other users can read. The public half of your key can be world-readable, e.g. "-rw-r--r--" (octal 644).
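As an added example (not part of the IMSS page), the following POSIX shell functions audit and repair a key pair's permissions against the values given above and confirm that a generated key really is a 384-bit ECDSA key. It assumes a POSIX sh with ls, cut, awk and chmod, plus ssh-keygen for the two key_* checks; the function names and the DIR/KEYNAME arguments are this example's own convention.

```shell
#!/bin/sh
# Added example, not part of the IMSS page: check and fix the permissions on
# an SSH key pair (drwx------, -rw-------, -rw-r--r--) and confirm the key's
# type and size. Function names and arguments are this example's own.

# Symbolic mode of a path, e.g. "drwx------". Only the first ten characters
# are kept, which drops the "+", "." or "@" some systems append for ACLs or
# extended attributes.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# ensure_mode PATH WANT OCTAL
# Chmod PATH to OCTAL if its mode string is not WANT. Returns 1 if a change
# was made, 0 if the mode was already correct.
ensure_mode() {
    path="$1"; want="$2"; octal="$3"
    have=$(mode_of "$path")
    if [ "$have" != "$want" ]; then
        echo "fixing $path: $have -> $want"
        chmod "$octal" "$path"
        return 1
    fi
    return 0
}

# check_ssh_perms DIR KEYNAME
# Audits DIR, DIR/KEYNAME and DIR/KEYNAME.pub. Returns 0 if everything was
# already correct and 1 if at least one mode had to be repaired.
check_ssh_perms() {
    dir="$1"; key="$dir/$2"
    rc=0
    ensure_mode "$dir"     drwx------ 700 || rc=1
    ensure_mode "$key"     -rw------- 600 || rc=1
    ensure_mode "$key.pub" -rw-r--r-- 644 || rc=1
    return "$rc"
}

# key_bits PUBKEYFILE: key size reported by "ssh-keygen -l" (384 for P-384).
key_bits() {
    ssh-keygen -l -f "$1" | awk '{print $1}'
}

# key_type PUBKEYFILE: algorithm reported by "ssh-keygen -l", e.g. ECDSA.
key_type() {
    ssh-keygen -l -f "$1" | awk '{print $NF}' | tr -d '()'
}
```

Typical use after running the ssh-keygen command above is check_ssh_perms "$HOME/.ssh" id_ecdsa, followed by key_bits "$HOME/.ssh/id_ecdsa.pub" to confirm that the answer is 384 and not a default size from an older ssh-keygen.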
Windows
For Windows users the command is the same, but the key lives in the .ssh folder under your profile directory. Open a command prompt, create that folder if it does not already exist (mkdir .ssh from c:\users\%username%), and change into it before generating the key:
cd c:\users\%username%\.ssh
ssh-keygen -t ecdsa -b 384 -f id_ecdsa -C "[email protected]"
Windows users should not have to change the directory or key permissions after running that command, because the Windows OpenSSH tools set them correctly. If you need to verify the permissions, run icacls on each file (e.g. icacls id_ecdsa). The permissions should be as follows:
- On the private key, id_ecdsa:
  - user has Modify NTFS permissions;
  - Administrators and SYSTEM have Full NTFS permissions.
- On the public key, id_ecdsa.pub:
  - EVERYONE has Read NTFS permissions;
  - user has Modify NTFS permissions;
  - Administrators and SYSTEM have Full NTFS permissions.